Make the -inform option to be respected if possible

Add OSSL_STORE_PARAM_INPUT_TYPE and make it possible to be
set when OSSL_STORE_open_ex() or OSSL_STORE_attach() is called.

The input type format is enforced only in case the file
type file store is used.

By default we use FORMAT_UNDEF meaning the input type
is not enforced.

Fixes #14569

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15100)

apps/ca.c

@@ -274,7 +274,7 @@ int ca_main(int argc, char **argv)
     char def_dgst[80] = "";
     char *dgst = NULL, *policy = NULL, *keyfile = NULL;
     char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL;
-    int certformat = FORMAT_PEM, informat = FORMAT_PEM;
+    int certformat = FORMAT_UNDEF, informat = FORMAT_UNDEF;
     const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL;
     const char *extensions = NULL, *extfile = NULL, *passinarg = NULL;
     char *passin = NULL;
@@ -289,7 +289,7 @@ int ca_main(int argc, char **argv)
     size_t outdirlen = 0;
     int create_ser = 0, free_passin = 0, total = 0, total_done = 0;
     int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE;
-    int keyformat = FORMAT_PEM, multirdn = 1, notext = 0, output_der = 0;
+    int keyformat = FORMAT_UNDEF, multirdn = 1, notext = 0, output_der = 0;
     int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0;
     int rand_ser = 0, i, j, selfsign = 0, def_ret;
     char *crl_lastupdate = NULL, *crl_nextupdate = NULL;
@@ -594,7 +594,7 @@ end_of_options:
             && (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL)
             goto end;
 
-        x509 = load_cert_pass(certfile, 1, passin, "CA certificate");
+        x509 = load_cert_pass(certfile, certformat, 1, passin, "CA certificate");
         if (x509 == NULL)
             goto end;
 
@@ -1287,7 +1287,7 @@ end_of_options:
         } else {
             X509 *revcert;
 
-            revcert = load_cert_pass(infile, 1, passin,
+            revcert = load_cert_pass(infile, informat, 1, passin,
                                      "certificate to be revoked");
             if (revcert == NULL)
                 goto end;
@@ -1417,7 +1417,7 @@ static int certify_cert(X509 **xret, const char *infile, int certformat,
     EVP_PKEY *pktmp = NULL;
     int ok = -1, i;
 
-    if ((template_cert = load_cert_pass(infile, 1, passin,
+    if ((template_cert = load_cert_pass(infile, certformat, 1, passin,
                                         "template certificate")) == NULL)
         goto end;
     if (verbose)

apps/cmp.c

@@ -131,8 +131,8 @@ static int opt_revreason = CRL_REASON_NONE;
 /* credentials format */
 static char *opt_certform_s = "PEM";
 static int opt_certform = FORMAT_PEM;
-static char *opt_keyform_s = "PEM";
-static int opt_keyform = FORMAT_PEM;
+static char *opt_keyform_s = NULL;
+static int opt_keyform = FORMAT_UNDEF;
 static char *opt_otherpass = NULL;
 static char *opt_engine = NULL;
 
@@ -635,7 +635,7 @@ static X509 *load_cert_pwd(const char *uri, const char *pass, const char *desc)
     X509 *cert;
     char *pass_string = get_passwd(pass, desc);
 
-    cert = load_cert_pass(uri, 0, pass_string, desc);
+    cert = load_cert_pass(uri, FORMAT_UNDEF, 0, pass_string, desc);
     clear_free(pass_string);
     return cert;
 }

apps/cms.c

@@ -292,7 +292,7 @@ int cms_main(int argc, char **argv)
     int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0;
     int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
     int operation = 0, ret = 1, rr_print = 0, rr_allorfirst = -1;
-    int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
+    int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_UNDEF;
     size_t secret_keylen = 0, secret_keyidlen = 0;
     unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
     unsigned char *secret_key = NULL, *secret_keyid = NULL;
@@ -611,7 +611,8 @@ int cms_main(int argc, char **argv)
             if (operation == SMIME_ENCRYPT) {
                 if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL)
                     goto end;
-                cert = load_cert(opt_arg(), "recipient certificate file");
+                cert = load_cert(opt_arg(), FORMAT_UNDEF,
+                                 "recipient certificate file");
                 if (cert == NULL)
                     goto end;
                 sk_X509_push(encerts, cert);
@@ -810,7 +811,8 @@ int cms_main(int argc, char **argv)
             if ((encerts = sk_X509_new_null()) == NULL)
                 goto end;
         while (*argv) {
-            if ((cert = load_cert(*argv, "recipient certificate file")) == NULL)
+            if ((cert = load_cert(*argv, FORMAT_UNDEF,
+                                  "recipient certificate file")) == NULL)
                 goto end;
             sk_X509_push(encerts, cert);
             cert = NULL;
@@ -826,7 +828,7 @@ int cms_main(int argc, char **argv)
     }
 
     if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
-        if ((recip = load_cert(recipfile,
+        if ((recip = load_cert(recipfile, FORMAT_UNDEF,
                                "recipient certificate file")) == NULL) {
             ERR_print_errors(bio_err);
             goto end;
@@ -834,7 +836,7 @@ int cms_main(int argc, char **argv)
     }
 
     if (originatorfile != NULL) {
-        if ((originator = load_cert(originatorfile,
+        if ((originator = load_cert(originatorfile, FORMAT_UNDEF,
                                     "originator certificate file")) == NULL) {
              ERR_print_errors(bio_err);
              goto end;
@@ -842,7 +844,7 @@ int cms_main(int argc, char **argv)
     }
 
     if (operation == SMIME_SIGN_RECEIPT) {
-        if ((signer = load_cert(signerfile,
+        if ((signer = load_cert(signerfile, FORMAT_UNDEF,
                                 "receipt signer certificate file")) == NULL) {
             ERR_print_errors(bio_err);
             goto end;
@@ -1048,7 +1050,7 @@ int cms_main(int argc, char **argv)
             signerfile = sk_OPENSSL_STRING_value(sksigners, i);
             keyfile = sk_OPENSSL_STRING_value(skkeys, i);
 
-            signer = load_cert(signerfile, "signer certificate");
+            signer = load_cert(signerfile, FORMAT_UNDEF, "signer certificate");
             if (signer == NULL) {
                 ret = 2;
                 goto end;

apps/crl.c

@@ -88,7 +88,7 @@ int crl_main(int argc, char **argv)
     const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL, *prog;
     OPTION_CHOICE o;
     int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyformat = FORMAT_UNDEF;
     int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber = 0;
     int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0, noCAstore = 0;
     int i;
@@ -211,7 +211,7 @@ int crl_main(int argc, char **argv)
         if (!opt_md(digestname, &digest))
             goto opthelp;
     }
-    x = load_crl(infile, 1, "CRL");
+    x = load_crl(infile, informat, 1, "CRL");
     if (x == NULL)
         goto end;
 
@@ -256,7 +256,7 @@ int crl_main(int argc, char **argv)
             BIO_puts(bio_err, "Missing CRL signing key\n");
             goto end;
         }
-        newcrl = load_crl(crldiff, 0, "other CRL");
+        newcrl = load_crl(crldiff, informat, 0, "other CRL");
         if (!newcrl)
             goto end;
         pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key");

apps/dgst.c

@@ -105,7 +105,7 @@ int dgst_main(int argc, char **argv)
     const char *sigfile = NULL;
     const char *md_name = NULL;
     OPTION_CHOICE o;
-    int separator = 0, debug = 0, keyform = FORMAT_PEM, siglen = 0;
+    int separator = 0, debug = 0, keyform = FORMAT_UNDEF, siglen = 0;
     int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0;
     int xoflen = 0;
     unsigned char *buf = NULL, *sigbuf = NULL;

apps/dsa.c

@@ -83,7 +83,7 @@ int dsa_main(int argc, char **argv)
     char *infile = NULL, *outfile = NULL, *prog;
     char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
     OPTION_CHOICE o;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, text = 0, noout = 0;
     int modulus = 0, pubin = 0, pubout = 0, ret = 1;
     int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH;
     int private = 0;

apps/dsaparam.c

@@ -69,7 +69,7 @@ int dsaparam_main(int argc, char **argv)
     EVP_PKEY *params = NULL, *pkey = NULL;
     EVP_PKEY_CTX *ctx = NULL;
     int numbits = -1, num = 0, genkey = 0;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, noout = 0;
     int ret = 1, i, text = 0, private = 0;
     char *infile = NULL, *outfile = NULL, *prog;
     OPTION_CHOICE o;
@@ -181,7 +181,7 @@ int dsaparam_main(int argc, char **argv)
             goto end;
         }
     } else {
-        params = load_keyparams(infile, 1, "DSA", "DSA parameters");
+        params = load_keyparams(infile, informat, 1, "DSA", "DSA parameters");
     }
     if (params == NULL) {
         /* Error message should already have been displayed */

apps/ec.c

@@ -73,7 +73,7 @@ int ec_main(int argc, char **argv)
     char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog;
     char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
     OPTION_CHOICE o;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, text = 0, noout = 0;
     int pubin = 0, pubout = 0, param_out = 0, ret = 1, private = 0;
     int check = 0;
     char *asn1_encoding = NULL;

apps/ecparam.c

@@ -240,7 +240,7 @@ int ecparam_main(int argc, char **argv)
             goto end;
         }
     } else {
-        params_key = load_keyparams(infile, 1, "EC", "EC parameters");
+        params_key = load_keyparams(infile, informat, 1, "EC", "EC parameters");
         if (params_key == NULL || !EVP_PKEY_is_a(params_key, "EC"))
             goto end;
         if (point_format

apps/gendsa.c

@@ -121,7 +121,7 @@ int gendsa_main(int argc, char **argv)
         goto end;
     }
 
-    pkey = load_keyparams(dsaparams, 1, "DSA", "DSA parameters");
+    pkey = load_keyparams(dsaparams, FORMAT_UNDEF, 1, "DSA", "DSA parameters");
 
     out = bio_open_owner(outfile, FORMAT_PEM, private);
     if (out == NULL)

apps/include/apps.h

@@ -108,18 +108,19 @@ char *get_passwd(const char *pass, const char *desc);
 int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
 int add_oid_section(CONF *conf);
 X509_REQ *load_csr(const char *file, int format, const char *desc);
-X509 *load_cert_pass(const char *uri, int maybe_stdin,
+X509 *load_cert_pass(const char *uri, int format, int maybe_stdin,
                      const char *pass, const char *desc);
-#define load_cert(uri, desc) load_cert_pass(uri, 1, NULL, desc)
-X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc);
+#define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc)
+X509_CRL *load_crl(const char *uri, int format, int maybe_stdin,
+                   const char *desc);
 void cleanse(char *str);
 void clear_free(char *str);
 EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin,
                    const char *pass, ENGINE *e, const char *desc);
 EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin,
                       const char *pass, ENGINE *e, const char *desc);
-EVP_PKEY *load_keyparams(const char *uri, int maybe_stdin, const char *keytype,
-                         const char *desc);
+EVP_PKEY *load_keyparams(const char *uri, int format, int maybe_stdin,
+                         const char *keytype, const char *desc);
 char *next_item(char *opt); /* in list separated by comma and/or space */
 int load_cert_certs(const char *uri,
                     X509 **pcert, STACK_OF(X509) **pcerts,
@@ -133,13 +134,13 @@ int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs,
                const char *pass, const char *desc);
 int load_crls(const char *uri, STACK_OF(X509_CRL) **crls,
               const char *pass, const char *desc);
-int load_key_certs_crls(const char *uri, int maybe_stdin,
+int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
                         const char *pass, const char *desc,
                         EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
                         EVP_PKEY **pparams,
                         X509 **pcert, STACK_OF(X509) **pcerts,
                         X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls);
-int load_key_cert_crl(const char *uri, int maybe_stdin,
+int load_key_cert_crl(const char *uri, int format, int maybe_stdin,
                       const char *pass, const char *desc,
                       EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
                       X509 **pcert, X509_CRL **pcrl);

apps/lib/apps.c

@@ -38,6 +38,7 @@
 #include <openssl/bn.h>
 #include <openssl/ssl.h>
 #include <openssl/store.h>
+#include <openssl/core_names.h>
 #include "s_apps.h"
 #include "apps.h"
 
@@ -478,7 +479,7 @@ CONF *app_load_config_modules(const char *configfile)
 #define IS_HTTPS(uri) ((uri) != NULL \
         && strncmp(uri, OSSL_HTTPS_PREFIX, strlen(OSSL_HTTPS_PREFIX)) == 0)
 
-X509 *load_cert_pass(const char *uri, int maybe_stdin,
+X509 *load_cert_pass(const char *uri, int format, int maybe_stdin,
                      const char *pass, const char *desc)
 {
     X509 *cert = NULL;
@@ -490,7 +491,7 @@ X509 *load_cert_pass(const char *uri, int maybe_stdin,
     else if (IS_HTTP(uri))
         cert = X509_load_http(uri, NULL, NULL, 0 /* timeout */);
     else
-        (void)load_key_certs_crls(uri, maybe_stdin, pass, desc,
+        (void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc,
                                   NULL, NULL, NULL, &cert, NULL, NULL, NULL);
     if (cert == NULL) {
         BIO_printf(bio_err, "Unable to load %s\n", desc);
@@ -499,7 +500,8 @@ X509 *load_cert_pass(const char *uri, int maybe_stdin,
     return cert;
 }
 
-X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc)
+X509_CRL *load_crl(const char *uri, int format, int maybe_stdin,
+                   const char *desc)
 {
     X509_CRL *crl = NULL;
 
@@ -510,7 +512,7 @@ X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc)
     else if (IS_HTTP(uri))
         crl = X509_CRL_load_http(uri, NULL, NULL, 0 /* timeout */);
     else
-        (void)load_key_certs_crls(uri, maybe_stdin, NULL, desc,
+        (void)load_key_certs_crls(uri, format, maybe_stdin, NULL, desc,
                                   NULL, NULL,  NULL, NULL, NULL, &crl, NULL);
     if (crl == NULL) {
         BIO_printf(bio_err, "Unable to load %s\n", desc);
@@ -524,6 +526,8 @@ X509_REQ *load_csr(const char *file, int format, const char *desc)
     X509_REQ *req = NULL;
     BIO *in;
 
+    if (format == FORMAT_UNDEF)
+        format = FORMAT_PEM;
     if (desc == NULL)
         desc = "CSR";
     in = bio_open_default(file, 'r', format);
@@ -570,7 +574,7 @@ EVP_PKEY *load_key(const char *uri, int format, int may_stdin,
     if (format == FORMAT_ENGINE) {
         uri = allocated_uri = make_engine_uri(e, uri, desc);
     }
-    (void)load_key_certs_crls(uri, may_stdin, pass, desc,
+    (void)load_key_certs_crls(uri, format, may_stdin, pass, desc,
                               &pkey, NULL, NULL, NULL, NULL, NULL, NULL);
 
     OPENSSL_free(allocated_uri);
@@ -589,22 +593,22 @@ EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin,
     if (format == FORMAT_ENGINE) {
         uri = allocated_uri = make_engine_uri(e, uri, desc);
     }
-    (void)load_key_certs_crls(uri, maybe_stdin, pass, desc,
+    (void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc,
                               NULL, &pkey, NULL, NULL, NULL, NULL, NULL);
 
     OPENSSL_free(allocated_uri);
     return pkey;
 }
 
-EVP_PKEY *load_keyparams(const char *uri, int maybe_stdin, const char *keytype,
-                         const char *desc)
+EVP_PKEY *load_keyparams(const char *uri, int format, int maybe_stdin,
+                         const char *keytype, const char *desc)
 {
     EVP_PKEY *params = NULL;
 
     if (desc == NULL)
         desc = "key parameters";
 
-    (void)load_key_certs_crls(uri, maybe_stdin, NULL, desc,
+    (void)load_key_certs_crls(uri, format, maybe_stdin, NULL, desc,
                               NULL, NULL, &params, NULL, NULL, NULL, NULL);
     if (params != NULL && keytype != NULL && !EVP_PKEY_is_a(params, keytype)) {
         BIO_printf(bio_err,
@@ -698,7 +702,8 @@ int load_cert_certs(const char *uri,
         return ret;
     }
     pass_string = get_passwd(pass, desc);
-    ret = load_key_certs_crls(uri, 0, pass_string, desc, NULL, NULL, NULL,
+    ret = load_key_certs_crls(uri, FORMAT_UNDEF, 0, pass_string, desc,
+                              NULL, NULL, NULL,
                               pcert, pcerts, NULL, NULL);
     clear_free(pass_string);
 
@@ -800,7 +805,8 @@ int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs,
                const char *pass, const char *desc)
 {
     int was_NULL = *certs == NULL;
-    int ret = load_key_certs_crls(uri, maybe_stdin, pass, desc, NULL, NULL,
+    int ret = load_key_certs_crls(uri, FORMAT_UNDEF, maybe_stdin,
+                                  pass, desc, NULL, NULL,
                                   NULL, NULL, certs, NULL, NULL);
 
     if (!ret && was_NULL) {
@@ -818,7 +824,8 @@ int load_crls(const char *uri, STACK_OF(X509_CRL) **crls,
               const char *pass, const char *desc)
 {
     int was_NULL = *crls == NULL;
-    int ret = load_key_certs_crls(uri, 0, pass, desc, NULL, NULL, NULL,
+    int ret = load_key_certs_crls(uri, FORMAT_UNDEF, 0, pass, desc,
+                                  NULL, NULL, NULL,
                                   NULL, NULL, NULL, crls);
 
     if (!ret && was_NULL) {
@@ -828,6 +835,17 @@ int load_crls(const char *uri, STACK_OF(X509_CRL) **crls,
     return ret;
 }
 
+static const char *format2string(int format)
+{
+    switch(format) {
+    case FORMAT_PEM:
+        return "PEM";
+    case FORMAT_ASN1:
+        return "DER";
+    }
+    return NULL;
+}
+
 /* Set type expectation, but clear it if objects of different types expected. */
 #define SET_EXPECT(val) expect = expect < 0 ? val : (expect == val ? val : 0);
 /*
@@ -843,7 +861,7 @@ int load_crls(const char *uri, STACK_OF(X509_CRL) **crls,
  * In any case (also on error) the caller is responsible for freeing all members
  * of *pcerts and *pcrls (as far as they are not NULL).
  */
-int load_key_certs_crls(const char *uri, int maybe_stdin,
+int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
                         const char *pass, const char *desc,
                         EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
                         EVP_PKEY **pparams,
@@ -863,6 +881,9 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
         pcrls != NULL ? "CRLs" : NULL;
     int cnt_expectations = 0;
     int expect = -1;
+    const char *input_type;
+    OSSL_PARAM itp[2];
+    const OSSL_PARAM *params = NULL;
     /* TODO make use of the engine reference 'eng' when loading pkeys */
 
     if (ppkey != NULL) {
@@ -915,6 +936,13 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
     uidata.password = pass;
     uidata.prompt_info = uri;
 
+    if ((input_type = format2string(format)) != NULL) {
+       itp[0] = OSSL_PARAM_construct_utf8_string(OSSL_STORE_PARAM_INPUT_TYPE,
+                                                 (char *)input_type, 0);
+       itp[1] = OSSL_PARAM_construct_end();
+       params = itp;
+    }
+
     if (uri == NULL) {
         BIO *bio;
 
@@ -927,12 +955,13 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
         bio = BIO_new_fp(stdin, 0);
         if (bio != NULL) {
             ctx = OSSL_STORE_attach(bio, "file", libctx, propq,
-                                    get_ui_method(), &uidata, NULL, NULL);
+                                    get_ui_method(), &uidata, params,
+                                    NULL, NULL);
             BIO_free(bio);
         }
     } else {
         ctx = OSSL_STORE_open_ex(uri, libctx, propq, get_ui_method(), &uidata,
-                                 NULL, NULL);
+                                 params, NULL, NULL);
     }
     if (ctx == NULL) {
         BIO_printf(bio_err, "Could not open file or uri for loading");
@@ -2322,7 +2351,7 @@ static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
         DIST_POINT *dp = sk_DIST_POINT_value(crldp, i);
         urlptr = get_dp_url(dp);
         if (urlptr != NULL)
-            return load_crl(urlptr, 0, "CRL via CDP");
+            return load_crl(urlptr, FORMAT_UNDEF, 0, "CRL via CDP");
     }
     return NULL;
 }

apps/lib/s_cb.c

@@ -1019,7 +1019,8 @@ int load_excert(SSL_EXCERT **pexc)
             BIO_printf(bio_err, "Missing filename\n");
             return 0;
         }
-        exc->cert = load_cert(exc->certfile, "Server Certificate");
+        exc->cert = load_cert(exc->certfile, exc->certform,
+                              "Server Certificate");
         if (exc->cert == NULL)
             return 0;
         if (exc->keyfile != NULL) {

apps/ocsp.c

@@ -402,7 +402,7 @@ int ocsp_main(int argc, char **argv)
             path = opt_arg();
             break;
         case OPT_ISSUER:
-            issuer = load_cert(opt_arg(), "issuer certificate");
+            issuer = load_cert(opt_arg(), FORMAT_UNDEF, "issuer certificate");
             if (issuer == NULL)
                 goto end;
             if (issuers == NULL) {
@@ -414,7 +414,7 @@ int ocsp_main(int argc, char **argv)
             break;
         case OPT_CERT:
             X509_free(cert);
-            cert = load_cert(opt_arg(), "certificate");
+            cert = load_cert(opt_arg(), FORMAT_UNDEF, "certificate");
             if (cert == NULL)
                 goto end;
             if (cert_id_md == NULL)
@@ -565,7 +565,7 @@ int ocsp_main(int argc, char **argv)
     if (rsignfile != NULL) {
         if (rkeyfile == NULL)
             rkeyfile = rsignfile;
-        rsigner = load_cert(rsignfile, "responder certificate");
+        rsigner = load_cert(rsignfile, FORMAT_UNDEF, "responder certificate");
         if (rsigner == NULL) {
             BIO_printf(bio_err, "Error loading responder certificate\n");
             goto end;
@@ -581,7 +581,7 @@ int ocsp_main(int argc, char **argv)
             BIO_printf(bio_err, "Error getting password\n");
             goto end;
         }
-        rkey = load_key(rkeyfile, FORMAT_PEM, 0, passin, NULL,
+        rkey = load_key(rkeyfile, FORMAT_UNDEF, 0, passin, NULL,
                         "responder private key");
         if (rkey == NULL)
             goto end;
@@ -661,7 +661,7 @@ redo_accept:
     if (signfile != NULL) {
         if (keyfile == NULL)
             keyfile = signfile;
-        signer = load_cert(signfile, "signer certificate");
+        signer = load_cert(signfile, FORMAT_UNDEF, "signer certificate");
         if (signer == NULL) {
             BIO_printf(bio_err, "Error loading signer certificate\n");
             goto end;
@@ -671,7 +671,7 @@ redo_accept:
                             "signer certificates"))
                 goto end;
         }
-        key = load_key(keyfile, FORMAT_PEM, 0, NULL, NULL,
+        key = load_key(keyfile, FORMAT_UNDEF, 0, NULL, NULL,
                        "signer private key");
         if (key == NULL)
             goto end;

apps/pkcs8.c

@@ -83,7 +83,7 @@ int pkcs8_main(int argc, char **argv)
     char *passin = NULL, *passout = NULL, *p8pass = NULL;
     OPTION_CHOICE o;
     int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1;
     int private = 0, traditional = 0;
 #ifndef OPENSSL_NO_SCRYPT
     long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0;
@@ -214,7 +214,8 @@ int pkcs8_main(int argc, char **argv)
     if ((pbe_nid == -1) && cipher == NULL)
         cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
 
-    in = bio_open_default(infile, 'r', informat);
+    in = bio_open_default(infile, 'r',
+                          informat == FORMAT_UNDEF ? FORMAT_PEM : informat);
     if (in == NULL)
         goto end;
     out = bio_open_owner(outfile, outformat, private);
@@ -298,7 +299,7 @@ int pkcs8_main(int argc, char **argv)
     }
 
     if (nocrypt) {
-        if (informat == FORMAT_PEM) {
+        if (informat == FORMAT_PEM || informat == FORMAT_UNDEF) {
             p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in, NULL, NULL, NULL);
         } else if (informat == FORMAT_ASN1) {
             p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL);
@@ -307,7 +308,7 @@ int pkcs8_main(int argc, char **argv)
             goto end;
         }
     } else {
-        if (informat == FORMAT_PEM) {
+        if (informat == FORMAT_PEM || informat == FORMAT_UNDEF) {
             p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL);
         } else if (informat == FORMAT_ASN1) {
             p8 = d2i_PKCS8_bio(in, NULL);

apps/pkey.c

@@ -75,7 +75,7 @@ int pkey_main(int argc, char **argv)
     char *infile = NULL, *outfile = NULL, *passin = NULL, *passout = NULL;
     char *passinarg = NULL, *passoutarg = NULL, *ciphername = NULL, *prog;
     OPTION_CHOICE o;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM;
     int pubin = 0, pubout = 0, text_pub = 0, text = 0, noout = 0, ret = 1;
     int private = 0, traditional = 0, check = 0, pub_check = 0;
 #ifndef OPENSSL_NO_EC

apps/pkeyutl.c

@@ -111,7 +111,8 @@ int pkeyutl_main(int argc, char **argv)
     char hexdump = 0, asn1parse = 0, rev = 0, *prog;
     unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
     OPTION_CHOICE o;
-    int buf_inlen = 0, siglen = -1, keyform = FORMAT_PEM, peerform = FORMAT_PEM;
+    int buf_inlen = 0, siglen = -1;
+    int keyform = FORMAT_UNDEF, peerform = FORMAT_UNDEF;
     int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
     int engine_impl = 0;
     int ret = 1, rv = -1;
@@ -555,7 +556,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
         break;
 
     case KEY_CERT:
-        x = load_cert(keyfile, "Certificate");
+        x = load_cert(keyfile, keyform, "Certificate");
         if (x) {
             pkey = X509_get_pubkey(x);
             X509_free(x);

apps/req.c

@@ -256,7 +256,7 @@ int req_main(int argc, char **argv)
     int days = UNSET_DAYS;
     int ret = 1, gen_x509 = 0, i = 0, newreq = 0, verbose = 0;
     int pkey_type = -1;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyform = FORMAT_UNDEF;
     int modulus = 0, multirdn = 1, verify = 0, noout = 0, text = 0;
     int noenc = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0;
     long newkey_len = -1;
@@ -762,7 +762,7 @@ int req_main(int argc, char **argv)
             BIO_printf(bio_err,
                        "Ignoring -CAkey option since no -CA option is given\n");
         } else {
-            if ((CAkey = load_key(CAkeyfile, FORMAT_PEM,
+            if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF,
                                   0, passin, e, "issuer private key")) == NULL)
                 goto end;
         }
@@ -777,7 +777,7 @@ int req_main(int argc, char **argv)
                            "Need to give the -CAkey option if using -CA\n");
                 goto end;
             }
-            if ((CAcert = load_cert_pass(CAfile, 1, passin,
+            if ((CAcert = load_cert_pass(CAfile, FORMAT_UNDEF, 1, passin,
                                          "issuer certificate")) == NULL)
                 goto end;
             if (!X509_check_private_key(CAcert, CAkey)) {

apps/rsa.c

@@ -96,7 +96,7 @@ int rsa_main(int argc, char **argv)
     char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog;
     char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
     int private = 0;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, text = 0, check = 0;
     int noout = 0, modulus = 0, pubin = 0, pubout = 0, ret = 1;
     int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH;
     OPTION_CHOICE o;
@@ -204,7 +204,7 @@ int rsa_main(int argc, char **argv)
     }
 
     if (pubin) {
-        int tmpformat = -1;
+        int tmpformat = FORMAT_UNDEF;
 
         if (pubin == 2) {
             if (informat == FORMAT_PEM)

apps/rsautl.c

@@ -81,7 +81,7 @@ int rsautl_main(int argc, char **argv)
     char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
     unsigned char *rsa_in = NULL, *rsa_out = NULL, pad = RSA_PKCS1_PADDING;
     size_t rsa_inlen, rsa_outlen = 0;
-    int keyformat = FORMAT_PEM, keysize, ret = 1, rv;
+    int keyformat = FORMAT_UNDEF, keysize, ret = 1, rv;
     int hexdump = 0, asn1parse = 0, need_priv = 0, rev = 0;
     OPTION_CHOICE o;
 
@@ -196,7 +196,7 @@ int rsautl_main(int argc, char **argv)
         break;
 
     case KEY_CERT:
-        x = load_cert(keyfile, "Certificate");
+        x = load_cert(keyfile, FORMAT_UNDEF, "Certificate");
         if (x) {
             pkey = X509_get_pubkey(x);
             X509_free(x);

apps/s_client.c

@@ -815,15 +815,15 @@ int s_client_main(int argc, char **argv)
     struct timeval timeout, *timeoutp;
     fd_set readfds, writefds;
     int noCApath = 0, noCAfile = 0, noCAstore = 0;
-    int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_PEM;
-    int key_format = FORMAT_PEM, crlf = 0, full_log = 1, mbuf_len = 0;
+    int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_UNDEF;
+    int key_format = FORMAT_UNDEF, crlf = 0, full_log = 1, mbuf_len = 0;
     int prexit = 0;
     int sdebug = 0;
     int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0;
     int ret = 1, in_init = 1, i, nbio_test = 0, sock = -1, k, width, state = 0;
     int sbuf_len, sbuf_off, cmdletters = 1;
     int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM, protocol = 0;
-    int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0;
+    int starttls_proto = PROTO_OFF, crl_format = FORMAT_UNDEF, crl_download = 0;
     int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
     int at_eof = 0;
@@ -1620,7 +1620,8 @@ int s_client_main(int argc, char **argv)
     }
 
     if (cert_file != NULL) {
-        cert = load_cert_pass(cert_file, 1, pass, "client certificate");
+        cert = load_cert_pass(cert_file, cert_format, 1, pass,
+                              "client certificate");
         if (cert == NULL)
             goto end;
     }
@@ -1632,7 +1633,7 @@ int s_client_main(int argc, char **argv)
 
     if (crl_file != NULL) {
         X509_CRL *crl;
-        crl = load_crl(crl_file, 0, "CRL");
+        crl = load_crl(crl_file, crl_format, 0, "CRL");
         if (crl == NULL)
             goto end;
         crls = sk_X509_CRL_new_null();

apps/s_server.c

@@ -978,11 +978,11 @@ int s_server_main(int argc, char *argv[])
     int no_dhe = 0;
     int nocert = 0, ret = 1;
     int noCApath = 0, noCAfile = 0, noCAstore = 0;
-    int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
-    int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
+    int s_cert_format = FORMAT_UNDEF, s_key_format = FORMAT_UNDEF;
+    int s_dcert_format = FORMAT_UNDEF, s_dkey_format = FORMAT_UNDEF;
     int rev = 0, naccept = -1, sdebug = 0;
     int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM, protocol = 0;
-    int state = 0, crl_format = FORMAT_PEM, crl_download = 0;
+    int state = 0, crl_format = FORMAT_UNDEF, crl_download = 0;
     char *host = NULL;
     char *port = OPENSSL_strdup(PORT);
     unsigned char *context = NULL;
@@ -1688,7 +1688,8 @@ int s_server_main(int argc, char *argv[])
         if (s_key == NULL)
             goto end;
 
-        s_cert = load_cert_pass(s_cert_file, 1, pass, "server certificate");
+        s_cert = load_cert_pass(s_cert_file, s_cert_format, 1, pass,
+                                "server certificate");
 
         if (s_cert == NULL)
             goto end;
@@ -1704,7 +1705,7 @@ int s_server_main(int argc, char *argv[])
             if (s_key2 == NULL)
                 goto end;
 
-            s_cert2 = load_cert_pass(s_cert_file2, 1, pass,
+            s_cert2 = load_cert_pass(s_cert_file2, s_cert_format, 1, pass,
                                 "second server certificate");
 
             if (s_cert2 == NULL)
@@ -1727,7 +1728,7 @@ int s_server_main(int argc, char *argv[])
 
     if (crl_file != NULL) {
         X509_CRL *crl;
-        crl = load_crl(crl_file, 0, "CRL");
+        crl = load_crl(crl_file, crl_format, 0, "CRL");
         if (crl == NULL)
             goto end;
         crls = sk_X509_CRL_new_null();
@@ -1749,7 +1750,7 @@ int s_server_main(int argc, char *argv[])
         if (s_dkey == NULL)
             goto end;
 
-        s_dcert = load_cert_pass(s_dcert_file, 1, dpass,
+        s_dcert = load_cert_pass(s_dcert_file, s_dcert_format, 1, dpass,
                                  "second server certificate");
 
         if (s_dcert == NULL) {
@@ -1975,9 +1976,9 @@ int s_server_main(int argc, char *argv[])
         EVP_PKEY *dhpkey = NULL;
 
         if (dhfile != NULL)
-            dhpkey = load_keyparams(dhfile, 0, "DH", "DH parameters");
+            dhpkey = load_keyparams(dhfile, FORMAT_UNDEF, 0, "DH", "DH parameters");
         else if (s_cert_file != NULL)
-            dhpkey = load_keyparams(s_cert_file, 0, "DH", "DH parameters");
+            dhpkey = load_keyparams(s_cert_file, FORMAT_UNDEF, 0, "DH", "DH parameters");
 
         if (dhpkey != NULL) {
             BIO_printf(bio_s_out, "Setting temp DH parameters\n");
@@ -2009,7 +2010,8 @@ int s_server_main(int argc, char *argv[])
 
         if (ctx2 != NULL) {
             if (dhfile != NULL) {
-                EVP_PKEY *dhpkey2 = load_keyparams(s_cert_file2, 0, "DH",
+                EVP_PKEY *dhpkey2 = load_keyparams(s_cert_file2, FORMAT_UNDEF,
+                                                   0, "DH",
                                                    "DH parameters");
 
                 if (dhpkey2 != NULL) {

apps/smime.c

@@ -151,7 +151,7 @@ int smime_main(int argc, char **argv)
     int noCApath = 0, noCAfile = 0, noCAstore = 0;
     int flags = PKCS7_DETACHED, operation = 0, ret = 0, indef = 0;
     int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform =
-        FORMAT_PEM;
+        FORMAT_UNDEF;
     int vpmtouched = 0, rv = 0;
     ENGINE *e = NULL;
     const char *mime_eol = "\n";
@@ -449,7 +449,8 @@ int smime_main(int argc, char **argv)
         if (encerts == NULL)
             goto end;
         while (*argv != NULL) {
-            cert = load_cert(*argv, "recipient certificate file");
+            cert = load_cert(*argv, FORMAT_UNDEF,
+                             "recipient certificate file");
             if (cert == NULL)
                 goto end;
             sk_X509_push(encerts, cert);
@@ -466,7 +467,7 @@ int smime_main(int argc, char **argv)
     }
 
     if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
-        if ((recip = load_cert(recipfile,
+        if ((recip = load_cert(recipfile, FORMAT_UNDEF,
                                "recipient certificate file")) == NULL) {
             ERR_print_errors(bio_err);
             goto end;
@@ -573,7 +574,7 @@ int smime_main(int argc, char **argv)
         for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
             signerfile = sk_OPENSSL_STRING_value(sksigners, i);
             keyfile = sk_OPENSSL_STRING_value(skkeys, i);
-            signer = load_cert(signerfile, "signer certificate");
+            signer = load_cert(signerfile, FORMAT_UNDEF, "signer certificate");
             if (signer == NULL)
                 goto end;
             key = load_key(keyfile, keyform, 0, passin, e, "signing key");

apps/spkac.c

@@ -67,7 +67,7 @@ int spkac_main(int argc, char **argv)
     char *spkstr = NULL, *prog;
     const char *spkac = "SPKAC", *spksect = "default";
     int i, ret = 1, verify = 0, noout = 0, pubkey = 0;
-    int keyformat = FORMAT_PEM;
+    int keyformat = FORMAT_UNDEF;
     OPTION_CHOICE o;
 
     prog = opt_init(argc, argv, spkac_options);

apps/storeutl.c

@@ -358,7 +358,7 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
     int ret = 1, items = 0;
 
     if ((store_ctx = OSSL_STORE_open_ex(uri, libctx, app_get0_propq(), uimeth, uidata,
-                                        NULL, NULL))
+                                        NULL, NULL, NULL))
         == NULL) {
         BIO_printf(bio_err, "Couldn't open file or uri %s\n", uri);
         ERR_print_errors(bio_err);

apps/verify.c

@@ -253,7 +253,7 @@ static int check(X509_STORE *ctx, const char *file,
     STACK_OF(X509) *chain = NULL;
     int num_untrusted;
 
-    x = load_cert(file, "certificate file");
+    x = load_cert(file, FORMAT_UNDEF, "certificate file");
     if (x == NULL)
         goto end;
 

apps/x509.c

@@ -266,9 +266,9 @@ int x509_main(int argc, char **argv)
     char *prog;
     int days = UNSET_DAYS; /* not explicitly set */
     int x509toreq = 0, modulus = 0, print_pubkey = 0, pprint = 0;
-    int CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM;
+    int CAformat = FORMAT_UNDEF, CAkeyformat = FORMAT_UNDEF;
     int fingerprint = 0, reqfile = 0, checkend = 0;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
+    int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyformat = FORMAT_UNDEF;
     int next_serial = 0, subject_hash = 0, issuer_hash = 0, ocspid = 0;
     int noout = 0, CA_createserial = 0, email = 0;
     int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0;
@@ -719,7 +719,7 @@ int x509_main(int argc, char **argv)
             }
         }
     } else {
-        x = load_cert_pass(infile, 1, passin, "certificate");
+        x = load_cert_pass(infile, informat, 1, passin, "certificate");
         if (x == NULL)
             goto end;
     }
@@ -734,7 +734,7 @@ int x509_main(int argc, char **argv)
         goto end;
 
     if (CAfile != NULL) {
-        xca = load_cert_pass(CAfile, 1, passin, "CA certificate");
+        xca = load_cert_pass(CAfile, CAformat, 1, passin, "CA certificate");
         if (xca == NULL)
             goto end;
     }

crypto/pem/pem_pkey.c

@@ -55,7 +55,7 @@ static EVP_PKEY *pem_read_bio_key(BIO *bp, EVP_PKEY **x,
         return NULL;
 
     if ((ctx = OSSL_STORE_attach(bp, "file", libctx, propq, ui_method, u,
-                                 NULL, NULL)) == NULL)
+                                 NULL, NULL, NULL)) == NULL)
         goto err;
 #ifndef OPENSSL_NO_SECURE_HEAP
 # ifndef OPENSSL_NO_DEPRECATED_3_0

crypto/store/store_lib.c

@@ -32,9 +32,37 @@
 
 static int ossl_store_close_it(OSSL_STORE_CTX *ctx);
 
+static int loader_set_params(OSSL_STORE_LOADER *loader,
+                             OSSL_STORE_LOADER_CTX *loader_ctx,
+                             const OSSL_PARAM params[], const char *propq)
+{
+   if (params != NULL) {
+       if (!loader->p_set_ctx_params(loader_ctx, params))
+           return 0;
+   }
+
+   if (propq != NULL) {
+       OSSL_PARAM propp[2];
+
+       if (OSSL_PARAM_locate_const(params,
+                                   OSSL_STORE_PARAM_PROPERTIES) != NULL)
+           /* use the propq from params */
+           return 1;
+
+       propp[0] = OSSL_PARAM_construct_utf8_string(OSSL_STORE_PARAM_PROPERTIES,
+                                                   (char *)propq, 0);
+       propp[1] = OSSL_PARAM_construct_end();
+
+       if (!loader->p_set_ctx_params(loader_ctx, propp))
+           return 0;
+    }
+    return 1;
+}
+
 OSSL_STORE_CTX *
 OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq,
                    const UI_METHOD *ui_method, void *ui_data,
+                   const OSSL_PARAM params[],
                    OSSL_STORE_post_process_info_fn post_process,
                    void *post_process_data)
 {
@@ -103,18 +131,11 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq,
             if (loader_ctx == NULL) {
                 OSSL_STORE_LOADER_free(fetched_loader);
                 fetched_loader = NULL;
-            } else if (propq != NULL) {
-                OSSL_PARAM params[2];
-
-                params[0] = OSSL_PARAM_construct_utf8_string(
-                                OSSL_STORE_PARAM_PROPERTIES, (char *)propq, 0);
-                params[1] = OSSL_PARAM_construct_end();
-
-                if (!fetched_loader->p_set_ctx_params(loader_ctx, params)) {
-                    (void)fetched_loader->p_close(loader_ctx);
-                    OSSL_STORE_LOADER_free(fetched_loader);
-                    fetched_loader = NULL;
-                }
+            } else if(!loader_set_params(fetched_loader, loader_ctx,
+                                         params, propq)) {
+                (void)fetched_loader->p_close(loader_ctx);
+                OSSL_STORE_LOADER_free(fetched_loader);
+                fetched_loader = NULL;
             }
             loader = fetched_loader;
         }
@@ -187,8 +208,8 @@ OSSL_STORE_CTX *OSSL_STORE_open(const char *uri,
                                 OSSL_STORE_post_process_info_fn post_process,
                                 void *post_process_data)
 {
-    return OSSL_STORE_open_ex(uri, NULL, NULL, ui_method, ui_data, post_process,
-                              post_process_data);
+    return OSSL_STORE_open_ex(uri, NULL, NULL, ui_method, ui_data, NULL,
+                              post_process, post_process_data);
 }
 
 #ifndef OPENSSL_NO_DEPRECATED_3_0
@@ -927,6 +948,7 @@ const EVP_MD *OSSL_STORE_SEARCH_get0_digest(const OSSL_STORE_SEARCH *criterion)
 OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, const char *scheme,
                                   OSSL_LIB_CTX *libctx, const char *propq,
                                   const UI_METHOD *ui_method, void *ui_data,
+                                  const OSSL_PARAM params[],
                                   OSSL_STORE_post_process_info_fn post_process,
                                   void *post_process_data)
 {
@@ -957,19 +979,11 @@ OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, const char *scheme,
             || (loader_ctx = fetched_loader->p_attach(provctx, cbio)) == NULL) {
             OSSL_STORE_LOADER_free(fetched_loader);
             fetched_loader = NULL;
-        } else if (propq != NULL) {
-            OSSL_PARAM params[] = {
-                OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES,
-                                       NULL, 0),
-                OSSL_PARAM_END
-            };
-
-            params[0].data = (void *)propq;
-            if (!fetched_loader->p_set_ctx_params(loader_ctx, params)) {
-                (void)fetched_loader->p_close(loader_ctx);
-                OSSL_STORE_LOADER_free(fetched_loader);
-                fetched_loader = NULL;
-            }
+        } else if (!loader_set_params(fetched_loader, loader_ctx,
+                                      params, propq)) {
+            (void)fetched_loader->p_close(loader_ctx);
+            OSSL_STORE_LOADER_free(fetched_loader);
+            fetched_loader = NULL;
         }
         loader = fetched_loader;
         ossl_core_bio_free(cbio);

crypto/x509/by_store.c

@@ -21,7 +21,8 @@ static int cache_objects(X509_LOOKUP *lctx, const char *uri,
     OSSL_STORE_CTX *ctx = NULL;
     X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
 
-    if ((ctx = OSSL_STORE_open_ex(uri, libctx, propq, NULL, NULL, NULL, NULL)) == NULL)
+    if ((ctx = OSSL_STORE_open_ex(uri, libctx, propq, NULL, NULL, NULL,
+                                  NULL, NULL)) == NULL)
         return 0;
 
     /*

doc/man3/OSSL_STORE_attach.pod

@@ -11,6 +11,7 @@ OSSL_STORE_attach - Functions to read objects from a BIO
  OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bio, const char *scheme,
                                    OSSL_LIB_CTX *libctx, const char *propq,
                                    const UI_METHOD *ui_method, void *ui_data,
+                                   const OSSL_PARAM params[],
                                    OSSL_STORE_post_process_info_fn post_process,
                                    void *post_process_data);
 

doc/man3/OSSL_STORE_open.pod

@@ -24,6 +24,7 @@ OSSL_STORE_error, OSSL_STORE_close
  OSSL_STORE_CTX *
  OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq,
                     const UI_METHOD *ui_method, void *ui_data,
+                    const OSSL_PARAM params[],
                     OSSL_STORE_post_process_info_fn post_process,
                     void *post_process_data);
 
@@ -68,6 +69,8 @@ B<OSSL_STORE_CTX> with all necessary internal information.
 The given I<ui_method> and I<ui_data> will be reused by all
 functions that use B<OSSL_STORE_CTX> when interaction is needed,
 for instance to provide a password.
+The auxiliary B<OSSL_PARAM> parameters in I<params> can be set to further
+modify the store operation.
 The given I<post_process> and I<post_process_data> will be reused by
 OSSL_STORE_load() to manipulate or drop the value to be returned.
 The I<post_process> function drops values by returning NULL, which
@@ -76,7 +79,7 @@ the next object, until I<post_process> returns something other than
 NULL, or the end of data is reached as indicated by OSSL_STORE_eof().
 
 OSSL_STORE_open() is similar to OSSL_STORE_open_ex() but uses NULL for
-the library context I<libctx> and property query I<propq>.
+the I<params>, the library context I<libctx> and property query I<propq>.
 
 OSSL_STORE_ctrl() takes a B<OSSL_STORE_CTX>, and command number I<cmd> and
 more arguments not specified here.

include/openssl/core_names.h

@@ -545,6 +545,8 @@ extern "C" {
 
 /* You may want to pass properties for the provider implementation to use */
 #define OSSL_STORE_PARAM_PROPERTIES "properties"   /* utf8_string */
+/* OSSL_DECODER input type if a decoder is used by the store */
+#define OSSL_STORE_PARAM_INPUT_TYPE "input-type"   /* UTF8_STRING */
 
 # ifdef __cplusplus
 }

include/openssl/store.h

@@ -59,6 +59,7 @@ OSSL_STORE_open(const char *uri, const UI_METHOD *ui_method, void *ui_data,
 OSSL_STORE_CTX *
 OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq,
                    const UI_METHOD *ui_method, void *ui_data,
+                   const OSSL_PARAM params[],
                    OSSL_STORE_post_process_info_fn post_process,
                    void *post_process_data);
 
@@ -131,6 +132,7 @@ int OSSL_STORE_close(OSSL_STORE_CTX *ctx);
 OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bio, const char *scheme,
                                   OSSL_LIB_CTX *libctx, const char *propq,
                                   const UI_METHOD *ui_method, void *ui_data,
+                                  const OSSL_PARAM params[],
                                   OSSL_STORE_post_process_info_fn post_process,
                                   void *post_process_data);
 

providers/fips-sources.checksums

@@ -452,7 +452,7 @@ a7f16a6480f5051d1197b992e042a73535d0922bdd3c962d2a96af780994e858  providers/impl
 1cb6ec2efb7b2bb131622aa95e245273f5967065eb0018392ed4ced50d0813b7  providers/implementations/signature/mac_legacy.c
 25fe1a61578d54c3e67b60646f3fd3d0a47ff1d4cd620ef1f1fca3341f2662a2  providers/implementations/signature/rsa.c
 c0a862433e5da909cf0c614d3f982765b67821c7a4cc6257ceb8c490b4dcf732  providers/implementations/signature/sm2sig.c
-c63cb744c26af304cf00006071d3ebd9325a4d65913b75a2bcb1d2e104c734fd  providers/implementations/storemgmt/file_store.c
+e2750b310565e74617310566c1ccfbd75559521117fd8936540fff54dd304902  providers/implementations/storemgmt/file_store.c
 291288936fe321e3e85048366f790f6b7983561cd8f80eec4c0e01d7c43614ab  providers/implementations/storemgmt/file_store_der2obj.c
 04ea01e48b8fee822acb376ab8679b4c627b32ab75c137bf23ebb4fe2a1c0703  providers/prov_running.c
 53a1e913fcc4a4e8e84009229cba60b9e29c7dc6536182fd290478331fad44b4  ssl/record/tls_pad.c

providers/fips.checksum

@@ -1 +1 @@
-b998b19b940b606688e4711014407c48c3fca4c58b2fdc60ac64c1cef94861c1  providers/fips-sources.checksums
+de031c8fbe10ee9b6447dd230956217e599cf923ff36a1026b515c2a22158b37  providers/fips-sources.checksums

providers/implementations/storemgmt/file_store.c

@@ -149,15 +149,11 @@ static OSSL_DECODER_CLEANUP file_load_cleanup;
  *
  */
 static struct file_ctx_st *file_open_stream(BIO *source, const char *uri,
-                                            const char *input_type,
                                             void *provctx)
 {
     struct file_ctx_st *ctx;
 
-    if ((ctx = new_file_ctx(IS_FILE, uri, provctx)) == NULL
-        || (input_type != NULL
-            && (ctx->_.file.input_type =
-                OPENSSL_strdup(input_type)) == NULL)) {
+    if ((ctx = new_file_ctx(IS_FILE, uri, provctx)) == NULL) {
         ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
         goto err;
     }
@@ -285,7 +281,7 @@ static void *file_open(void *provctx, const char *uri)
     if (S_ISDIR(st.st_mode))
         ctx = file_open_dir(path, uri, provctx);
     else if ((bio = BIO_new_file(path, "rb")) == NULL
-             || (ctx = file_open_stream(bio, uri, NULL, provctx)) == NULL)
+             || (ctx = file_open_stream(bio, uri, provctx)) == NULL)
         BIO_free_all(bio);
 
     return ctx;
@@ -299,7 +295,7 @@ void *file_attach(void *provctx, OSSL_CORE_BIO *cin)
     if (new_bio == NULL)
         return NULL;
 
-    ctx = file_open_stream(new_bio, NULL, NULL, provctx);
+    ctx = file_open_stream(new_bio, NULL, provctx);
     if (ctx == NULL)
         BIO_free(new_bio);
     return ctx;
@@ -316,6 +312,7 @@ static const OSSL_PARAM *file_settable_ctx_params(void *provctx)
         OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0),
         OSSL_PARAM_int(OSSL_STORE_PARAM_EXPECT, NULL),
         OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0),
+        OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_INPUT_TYPE, NULL, 0),
         OSSL_PARAM_END
     };
     return known_settable_ctx_params;
@@ -329,12 +326,22 @@ static int file_set_ctx_params(void *loaderctx, const OSSL_PARAM params[])
     if (params == NULL)
         return 1;
 
-    p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
-    if (p != NULL) {
-        OPENSSL_free(ctx->_.file.propq);
-        ctx->_.file.propq = NULL;
-        if (!OSSL_PARAM_get_utf8_string(p, &ctx->_.file.propq, 0))
-            return 0;
+    if (ctx->type != IS_DIR) {
+        /* these parameters are ignored for directories */
+        p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
+        if (p != NULL) {
+            OPENSSL_free(ctx->_.file.propq);
+            ctx->_.file.propq = NULL;
+            if (!OSSL_PARAM_get_utf8_string(p, &ctx->_.file.propq, 0))
+                return 0;
+        }
+        p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_INPUT_TYPE);
+        if (p != NULL) {
+            OPENSSL_free(ctx->_.file.input_type);
+            ctx->_.file.input_type = NULL;
+            if (!OSSL_PARAM_get_utf8_string(p, &ctx->_.file.input_type, 0))
+                return 0;
+        }
     }
     p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_EXPECT);
     if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->expected_type))

test/ossl_store_test.c

@@ -47,7 +47,7 @@ static int test_store_open(void)
           && TEST_ptr(search = OSSL_STORE_SEARCH_by_alias("nothing"))
           && TEST_ptr(ui_method= UI_create_method("DummyUI"))
           && TEST_ptr(sctx = OSSL_STORE_open_ex(input, NULL, NULL, ui_method,
-                                                NULL, NULL, NULL))
+                                                NULL, NULL, NULL, NULL))
           && TEST_false(OSSL_STORE_find(sctx, NULL))
           && TEST_true(OSSL_STORE_find(sctx, search));
     UI_destroy_method(ui_method);
@@ -75,7 +75,7 @@ static int get_params(const char *uri, const char *type)
     OSSL_STORE_INFO *info;
     int ret = 0;
 
-    ctx = OSSL_STORE_open_ex(uri, NULL, NULL, NULL, NULL, NULL, NULL);
+    ctx = OSSL_STORE_open_ex(uri, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
     if (!TEST_ptr(ctx))
         goto err;
 
@@ -157,7 +157,7 @@ static int test_store_attach_unregistered_scheme(void)
           && TEST_ptr(provider = OSSL_PROVIDER_load(libctx, "default"))
           && TEST_ptr(bio = BIO_new_file(input, "r"))
           && TEST_ptr(store_ctx = OSSL_STORE_attach(bio, "file", libctx, NULL,
-                                                    NULL, NULL, NULL, NULL))
+                                                    NULL, NULL, NULL, NULL, NULL))
           && TEST_int_ne(ERR_GET_LIB(ERR_peek_error()), ERR_LIB_OSSL_STORE)
           && TEST_int_ne(ERR_GET_REASON(ERR_peek_error()),
                          OSSL_STORE_R_UNREGISTERED_SCHEME);